How to generate statistic or visualization results for Splunk Add-on for Symantec DLP?

splunkbeginner — Tue, 29 Sep 2020 23:24:06 GMT

I have specified the following variables to extract from my Symantec DLP system and send them to Splunk.

Message = ID: $INCIDENT_ID$, Policy Violated: $POLICY$, Rules: $POLICY_RULES$, Count: $MATCH_COUNT$, Protocol: $PROTOCOL$, Recipient: $RECIPIENTS$, Sender: $SENDER$, Severity: $SEVERITY$, Subject: $SUBJECT$, Target: $TARGET$, Filename: $FILE_NAME$, Blocked: $BLOCKED$, Endpoint: $ENDPOINT_MACHINE$

The following are the search results using the “sourcetype=symantec:dlp:syslog”

Feb 21 09:39:11 192.168.1.5 Feb 21 09:40:23 ABCcompany Message = ID: 97712, Policy Violated: IT-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint Removable Storage Device, Recipient: N/A, Sender: N/A, Severity: 1:High, Subject: N/A, Target: N/A, Filename: Confidentail2.txt, Blocked: None, Endpoint: PC_David

Feb 21 09:43:48 192.168.1.5 Feb 21 09:46:23 ABCcompany Message = ID: 97713, Policy Violated: IT-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint Removable Storage Device, Recipient: N/A, Sender: N/A, Severity: 1:High, Subject: N/A, Target: N/A, Filename: Confidentail.txt, Blocked: None, Endpoint: PC_David

Feb 21 09:43:48 192.168.1.10 Feb 21 09:46:23 ABCcompany Message = ID: 97714, Policy Violated: HR-IDM-Policy, Rules: [UNKNOWN VARIABLE: POLICY_RULES], Count: 3, Protocol: Endpoint HTTPS, Recipient: Unknown, Sender: 192.168.2.122, Severity: 1:High, Subject: N/A, Target: N/A, Filename: N/A, Blocked: None, Endpoint: PC_Ryan

I would like to create a pie chart comparing number (better with percentage) of policies violated; which should be 2 IT-IDM-Policy (66%), and 1 HR-IDM-Policy (33%).
I have extracted a field named “Policy_Violated” by regular expression ^(?:[^:\n]*:){6}\s+(?P[^,]+). And the results are expected as follows:

Values Count %
IT-IDM-Policy 2 66.6
HR-IDM-Policy 1 33.3

But then what search keywords shall be used in order to generate statistic or visualization results which can be used afterwards to create a pie chart?

Re: How to generate statistic or visualization results for Splunk Add-on for Symantec DLP?

pkeenan87 — Thu, 21 Feb 2019 14:24:16 GMT

Try this search:

sourcetype=symantec:dlp:syslog | stats count by Policy_Violated

Here is a link to all the cool stuff you can do with the stats command: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/Stats

I also suggest specifying an index in your search to limit the scope, something like this:

index=<> sourcetype=symantec:dlp:syslog | stats count by Policy_Violated

Re: How to generate statistic or visualization results for Splunk Add-on for Symantec DLP?

splunkbeginner — Fri, 22 Feb 2019 01:08:17 GMT

Thank you pkeenan87. it really helps.

topic Re: How to generate statistic or visualization results for Splunk Add-on for Symantec DLP? in Knowledge Management

How to generate statistic or visualization results for Splunk Add-on for Symantec DLP?

Re: How to generate statistic or visualization results for Splunk Add-on for Symantec DLP?

Re: How to generate statistic or visualization results for Splunk Add-on for Symantec DLP?